DIFFERENTIALLY 4-UNIFORM FUNCTIONS

Abstract. We give a geometric characterization of vectorial Boolean
functions with differential uniformity $\le 4$. This enables us to give
a necessary condition on the degree of the base field for a function
of degree $2^r - 1$ to be differentially 4-uniform.



1. Introduction

We are interested in vectorial Boolean functions from the $\mathbb{F}_2$-vectorial
space $\mathbb{F}_2^m$ to itself in $m$ variables, viewed as polynomial functions
$f : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ over the field $\mathbb{F}_{2^m}$ in one variable of degree
at most $2^m - 1$. For a function $f : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, we consider, after
K. Nyberg (see [IE]), its differential uniformity

$$\delta(f) = \max_{\alpha \ne 0,\ \beta} \#\{x \in \mathbb{F}_{2^m} \mid f(x + \alpha) + f(x) = \beta\}.$$

This is clearly a strictly positive even integer. 

Functions $f$ with small $\delta(f)$ have applications in cryptography (see
[16]). Such functions with $\delta(f) = 2$ are called almost perfect nonlinear
(APN) and have been extensively studied: see [16] and [9] for the
genesis of the topic and more recently [3] and [5] for a synthesis of open
problems; see also [7] for new constructions and [20] for a geometric
point of view of differential uniformity.

Functions with $\delta(f) = 4$ are also useful; for example the function
$x \mapsto x^{-1}$ which is used in the AES algorithm over the field $\mathbb{F}_{2^8}$, has
differential uniformity 4 on $\mathbb{F}_{2^m}$ for any even $m$. Some results on these
functions have been collected by C. Bracken and G. Leander [HE].

We consider here the class of functions $f$ such that $\delta(f) \le 4$, called
differentially 4-uniform functions. We will show that for polynomial
functions $f$ of degree $d = 2^r - 1$ such that $\delta(f) \le 4$ on the field $\mathbb{F}_{2^m}$, the
number $m$ is bounded by an expression depending on $d$. The second
author demonstrated the same bound in the case of APN functions
[17, HH]. The principle of the method we apply here was already used
by H. Janwa et al. [13] to study cyclic codes and by A. Canteaut
[H] to show that certain power functions could not be APN when the
exponent is too large.

Henceforth we fix $q = 2^m$.

In order to simplify our study of such functions, let us recall the
following elementary results on differential uniformity; the proofs are
straightforward:

Proposition 1. (i) Adding a $q$-affine polynomial (i.e. a polynomial
whose monomials are of degree 0 or a power of 2) to a function $f$ does
not change $\delta(f)$.

(ii) For all $a$, $b$ and $c$ in $\mathbb{F}_q$, such that $a \ne 0$ and $c \ne 0$ we have

$$\delta(cf(ax + b)) = \delta(f).$$

(iii) One has $\delta(f^2) = \delta(f)$.

Hence, without loss of generality, from now on we can assume that
$f$ is a polynomial mapping from $\mathbb{F}_q$ to itself which has neither terms of
degree a power of 2 nor a constant term, and which has at least one
term of odd degree.

To any function $f : \mathbb{F}_q \to \mathbb{F}_q$, we associate the polynomial

$$f(x) + f(y) + f(z) + f(x + y + z).$$

Since this polynomial is clearly divisible by

$$(x + y)(x + z)(y + z),$$

we can consider the polynomial

$$P_f(x, y, z) = \frac{f(x) + f(y) + f(z) + f(x + y + z)}{(x + y)(x + z)(y + z)}$$

which has degree $\deg(f) - 3$ if $\deg(f)$ is not a power of 2.

2. A characterization of functions with $\delta \le 4$

We will give, as in [17], a geometric criterion for a function to have
$\delta \le 4$. We consider in this section the algebraic set $X$ defined by the
elements $(x, y, z, t)$ in the affine space $\mathbb{A}^4(\mathbb{F}_q)$ such that

$$P_f(x, y, z) = P_f(x, y, t) = 0.$$

We set also $V$ the hypersurface of the affine space $\mathbb{A}^4(\mathbb{F}_q)$ defined by

$$(x + y)(x + z)(x + t)(y + z)(y + t)(z + t)(x + y + z + t) = 0. \tag{1}$$

The hypersurface $V$ is the union of the seven hyperplanes $H_1, \ldots, H_7$
defined respectively by the equations $x + y = 0, \ldots, x + y + z + t = 0$.
We begin with a simple lemma:

Lemma 2. The following two properties are equivalent:

(i) there exist 6 distinct elements $x_0, x_1, x_2, x_3, x_4, x_5$ in $\mathbb{F}_q$ such that

$$\begin{aligned}
x_0 + x_1 &= \alpha, & f(x_0) + f(x_1) &= \beta \\
x_2 + x_3 &= \alpha, & f(x_2) + f(x_3) &= \beta \\
x_4 + x_5 &= \alpha, & f(x_4) + f(x_5) &= \beta
\end{aligned}$$

(ii) there exist 4 distinct elements $x_0, x_1, x_2, x_4$ in $\mathbb{F}_q$ such that
$x_0 + x_1 + x_2 + x_4 \ne 0$ and such that

$$\begin{aligned}
f(x_0) + f(x_1) + f(x_2) + f(x_0 + x_1 + x_2) &= 0 \\
f(x_0) + f(x_1) + f(x_4) + f(x_0 + x_1 + x_4) &= 0.
\end{aligned}$$

Proof. Suppose that (i) is true. Then we have $x_0 + x_1 + x_2 = \alpha + x_2 = x_3$
and so $f(x_0) + f(x_1) + f(x_2) + f(x_0 + x_1 + x_2) = f(x_0) + f(x_1) + f(x_2) + f(x_3) = 0$.
The second equation holds true in the same way. Finally,
we have $x_0 + x_1 + x_2 + x_4 = x_3 + x_4 \ne 0$.

Conversely, let us set $\alpha = x_0 + x_1$, $\beta = f(x_0) + f(x_1)$ and
$x_3 = \alpha + x_2 = x_0 + x_1 + x_2$. Then $f(x_2) + f(x_3) = f(x_2) + f(x_0 + x_1 + x_2) = f(x_0) + f(x_1) = \beta$.
Furthermore, we have $x_3 \ne x_0$ because $x_1 \ne x_2$ and
we have $x_3 \ne x_1$ since otherwise we would have $x_2 = \alpha + x_3 = \alpha + x_1 = x_0$.

Setting $x_5 = \alpha + x_4 = x_0 + x_1 + x_4$ we have $f(x_4) + f(x_5) = f(x_4) + f(x_0 + x_1 + x_4) = f(x_0) + f(x_1) = \beta$.
We have $x_3 \ne x_4$ since otherwise
we would have $0 = x_3 + x_4 = x_0 + x_1 + x_2 + x_4$ which is not the case
by hypothesis.

Finally $x_3 \ne x_5$ since otherwise we would have $x_2 = x_4$, and so all
the six elements $x_0, x_1, x_2, x_3, x_4, x_5$ are different. □

We can now state a geometric characterization of differentially
4-uniform functions:

Theorem 3. The differential uniformity of a function $f : \mathbb{F}_q \to \mathbb{F}_q$ is
not larger than 4 if and only if:

$$X(\mathbb{F}_q) \subset V$$

where $X(\mathbb{F}_q)$ denotes the set of rational points over $\mathbb{F}_q$ of $X$.

Proof. The differential uniformity is not larger than 4 if and only if for
any $\alpha \in \mathbb{F}_q^*$ and any $\beta \in \mathbb{F}_q$, the equation

$$f(x + \alpha) + f(x) = \beta$$

has at most 4 solutions, that is to say

$$\#\{x \in \mathbb{F}_q \mid f(x) + f(y) = \beta,\ x + y = \alpha\} \le 4.$$

But this is equivalent to saying that we cannot find 6 distinct elements
$x_0, x_1, x_2, x_3, x_4, x_5$ in $\mathbb{F}_q$ such that

$$\begin{aligned}
x_0 + x_1 &= \alpha, & f(x_0) + f(x_1) &= \beta \\
x_2 + x_3 &= \alpha, & f(x_2) + f(x_3) &= \beta \\
x_4 + x_5 &= \alpha, & f(x_4) + f(x_5) &= \beta.
\end{aligned}$$

By the previous lemma, this is equivalent to saying that we cannot find
4 distinct elements $x_0, x_1, x_2, x_4$ in $\mathbb{F}_q$ such that $x_0 + x_1 + x_2 + x_4 \ne 0$
and such that

$$\begin{aligned}
f(x_0) + f(x_1) + f(x_2) + f(x_0 + x_1 + x_2) &= 0 \\
f(x_0) + f(x_1) + f(x_4) + f(x_0 + x_1 + x_4) &= 0.
\end{aligned}$$

But this can be reformulated by saying that the rational points over
$\mathbb{F}_q$ of the variety $X$ are contained in the variety $V$, that is to say

$$X(\mathbb{F}_q) \subset V.$$

□

3. Monomial functions with $\delta \le 4$

then the polynomials $P_f(x, y, z)$ and $P_f(x, y, t)$ are homogeneous
polynomials and we can consider the intersection $X$ of the projective cones
$S_1$ and $S_2$ of dimension 2 defined respectively by $P_f(x, y, z) = 0$ and
$P_f(x, y, t) = 0$ with projective coordinates $(x : y : z : t)$ in the
projective space $\mathbb{P}^3(\mathbb{F}_q)$.

Even if $X$ is now a projective algebraic subset of the projective space
$\mathbb{P}^3(\mathbb{F}_q)$, Theorem 3 tells us also that:

$$\delta(f) \le 4 \text{ if and only if } X(\mathbb{F}_q) \subset V,$$

where $V$ is the hypersurface of $\mathbb{P}^3(\mathbb{F}_q)$ defined by Equation (1).

Indeed, the algebraic sets $X$ and $V$ in this section are closely related
to but not equal to the sets $X$ and $V$ of the previous section. The
set $X$ of this section (resp. $V$) is the set of lines through the origin of
the set $X$ (resp. $V$) of the previous section which is invariant under
homotheties with center the origin. For convenience, we keep the same
notations.

Lemma 4. The projective algebraic set $X$ has dimension 1, i.e. it is
a projective curve.

Proof. We have to show that the projective surfaces $S_1$ and $S_2$ do not
have common irreducible components. Since $S_1$ and $S_2$ are two cones,
it is enough to prove that the vertex of one of the cones doesn't lie
in the other cone. The coordinates of the vertex of the cone $S_2$ are
$(0 : 0 : 1 : 0)$. To show that it doesn't lie in $S_1$, we will prove that
$P_f(0 : 0 : 1 : 0) \ne 0$. Indeed, $S_1$ is defined by the polynomial

$$P_f(x, y, z) = \frac{x^d + y^d + z^d + (x + y + z)^d}{(x + y)(x + z)(y + z)}.$$

Setting $x + y = u$, we obtain:

$$P_f(x, y, z) = \frac{x^d + (x + u)^d + z^d + (u + z)^d}{u(x + z)(x + u + z)}$$

which gives

$$P_f(x, y, z) = \frac{x^{d-1} + z^{d-1} + uQ(x, z)}{(x + z)(x + u + z)},$$

where $Q$ is some polynomial in $x$ and $z$. This expression takes the value
1 at the point $(0 : 0 : 1 : 0)$. □

Now we know that $X$ is a projective curve in $\mathbb{P}^3(\mathbb{F}_q)$, and in order to
estimate its number of rational points over $\mathbb{F}_q$, we must determine its
irreducibility. We will prove that the curve $C_7$, defined as the
intersection of $S_2$ with the projective plane $H_7$ of equation $x + y + z + t = 0$, is an
absolutely irreducible component of $X$, and hence that $X$ is reducible.

Proposition 5. The intersection of the curve $X$ with the plane $H_7$
with the equation $x + y + z + t = 0$ is equal to the curve $C_7 := S_2 \cap H_7$.

Proof. Since $X = S_1 \cap S_2$, it is enough to prove that $C_7 \subset S_1$. Since
$t = x + y + z$ the points of intersection of the cone $S_2$ with the plane
$x + y + z + t = 0$ satisfy:

$$\begin{aligned}
0 = P_f(x, y, t) &= \frac{x^d + y^d + t^d + (x + y + t)^d}{(x + y)(x + t)(y + t)} \\
&= \frac{x^d + y^d + (x + y + z)^d + z^d}{(x + y)(y + z)(x + z)} \\
&= P_f(x, y, z),
\end{aligned}$$

so they belong to $S_1$. □

Proposition 6. The projective plane curve $C_7$ is isomorphic to the
projective plane curve $C$ with equation

$$P_f(x, y, z) = \frac{x^d + y^d + z^d + (x + y + z)^d}{(x + y)(x + z)(y + z)} = 0.$$

Proof. The projection from the vertex of the cone $S_1$ defines an
isomorphism of the projective plane $H_7$ with equation $x + y + z + t = 0$
onto the plane with equation $t = 0$, and it maps $C_7$ onto the curve $C$
with equation $P_f(x, y, z) = 0$. □

Proposition 7. Let $C$ be a plane curve of degree $\deg(C)$ and which is
not contained in $V$. Then:

$$\#(C \cap V)(\mathbb{F}_q) \le 7\deg(C).$$

Proof. The variety $V$ is the union of seven projective planes. Each
plane cannot contain more than $\deg(C)$ points, therefore $V$ contains at
most $7\deg(C)$ rational points in $C$. □

In order to get a lower bound for the number of rational points over
$\mathbb{F}_q$ on the curve $C$, hence on the curve $X$, we need to know if $C$ is
absolutely irreducible or not. This question has been discussed by H.
Janwa, G. McGuire and R. M. Wilson in [14] and very recently by F.
Hernando and G. McGuire in [10].

Proposition 8. If $d = 2^r - 1$ with $r \ge 3$, then the projective curve $X$
has an absolutely irreducible component $C'$ defined over $\mathbb{F}_2$ in the plane
$x + z + t = 0$ and this component $C'$ is isomorphic to the curve $C$.

Proof. One checks that the intersection of the cone $S_1$ with the plane
$x + z + t = 0$ is the same as the intersection of the cone $S_2$ with that
plane. Hence one can show, as in Proposition El that the intersection
of the curve $X$ with the plane $x + z + t = 0$ is isomorphic to the curve
$C$. Furthermore, it is proved in [H] that the curve $C$ is absolutely
irreducible since, $\deg(C) = 2^r - 1 \equiv 3 \pmod 4$. □

Hence we can state 

Theorem 9. Consider the function $f : \mathbb{F}_q \to \mathbb{F}_q$ defined by $f(x) = x^d$
with $d = 2^r - 1$ and $r \ge 3$. If $5 < d < q^{1/4} + 4.6$, then $f$ has differential
uniformity strictly greater than 4.



Proof. The curve $C'$ is an absolutely irreducible plane curve of
arithmetic genus $\pi_{C'} = (d - 4)(d - 5)/2$. According to P (see also [2] for a
more general statement), the number of rational points of the (possibly
singular) absolutely irreducible curve $C'$ satisfies

$$|\#C'(\mathbb{F}_q) - (q + 1)| \le 2\pi_{C'} q^{1/2}.$$

Hence

$$\#C'(\mathbb{F}_q) \ge q + 1 - 2\pi_{C'} q^{1/2}.$$

The maximum number of rational points on the curve $C'$ on the
surface $V$ is $7(d - 3)$ by Proposition 7. If $q + 1 - 2\pi_{C'} q^{1/2} > 7(d - 3)$,
then $C'(\mathbb{F}_q) \not\subset V$, therefore $X(\mathbb{F}_q) \not\subset V$, and $\delta(f) > 4$ by Theorem 3.
But this condition is equivalent to

$$q - 2\pi_{C'} q^{1/2} - 7(d - 3) + 1 > 0.$$

The condition is satisfied when

hence when

$$q > d^4 - 18d^3 + 121d^2 - 348d + 362$$

or

$$5 < d < q^{1/4} + 4.6.$$

□
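An added example, not part of the original paper: a brute-force computation of the differential uniformity $\delta(f)$ defined in the introduction, for power functions $x^d$ over small fields $\mathbb{F}_{2^m}$, next to the inequality $q + 1 - 2\pi_{C'} q^{1/2} > 7(d - 3)$ from the proof of Theorem 9. The irreducible polynomials and all function names are choices made for this example.

```python
from math import sqrt

# Irreducible polynomials over F_2 defining F_{2^m} (bit i = coefficient of x^i).
# Chosen for this example; delta(f) does not depend on the choice.
IRREDUCIBLE = {3: 0b1011, 5: 0b100101, 7: 0b10000011, 8: 0b100011011}

def gf_mul(a, b, m):
    """Product of a and b in F_{2^m}: carry-less multiply with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= IRREDUCIBLE[m]
    return r

def power_table(d, m):
    """Values of f(x) = x^d for every x in F_{2^m} (square-and-multiply)."""
    table = []
    for x in range(1 << m):
        y, base, e = 1, x, d
        while e:
            if e & 1:
                y = gf_mul(y, base, m)
            base = gf_mul(base, base, m)
            e >>= 1
        table.append(y)
    return table

def differential_uniformity(table):
    """max over a != 0 and b of #{x : f(x + a) + f(x) = b}; field addition is XOR."""
    q, best = len(table), 0
    for a in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[table[x ^ a] ^ table[x]] += 1
        best = max(best, max(counts))
    return best

def proof_inequality_holds(d, m):
    """q + 1 - 2*pi*sqrt(q) > 7(d - 3) with pi = (d - 4)(d - 5)/2 and q = 2^m."""
    q = 1 << m
    return q + 1 - (d - 4) * (d - 5) * sqrt(q) > 7 * (d - 3)

if __name__ == "__main__":
    # x^3 (APN), x^254 = x^(-1) on the AES field, and x^7 = x^(2^3 - 1) on two fields.
    for d, m in [(3, 3), (254, 8), (7, 5), (7, 7)]:
        print(f"x^{d} over F_(2^{m}): delta = {differential_uniformity(power_table(d, m))}")
    for m in (5, 7):
        print(f"d = 7, m = {m}: inequality holds = {proof_inequality_holds(7, m)}")
```

For $d = 7$ the inequality fails at $m = 5$, where $x^7$ has $\delta = 2$, and holds at $m = 7$, where the computed value is $\delta = 6$.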
4. Polynomial functions with $\delta \le 4$

If the function $f$ is a polynomial of one variable with coefficients in
$\mathbb{F}_q$ of degree $d > 3$, we consider again as in section 3 the intersection $X$
of $S_1$ and $S_2$, which are now cylinders in the affine space $\mathbb{A}^4(\mathbb{F}_q)$ with
equations respectively $P_f(x, y, z) = 0$ and $P_f(x, y, t) = 0$ and which are
of dimension 3 as affine varieties.

Lemma 10. The algebraic set $X$ has dimension 2, i.e. it is an affine
surface. Moreover, it has degree $(d - 3)^2$.

Proof. We have to show that the hypersurfaces $S_1$ and $S_2$ do not have
a common irreducible component. Since these hypersurfaces are two
cylinders, it is enough to prove that the polynomial defining $S_1$ does
not vanish on the whole of a straight line $(x_0, y_0, z, t_0)$ where $x_0, y_0, t_0$
are fixed and satisfy $P_f(x_0, y_0, t_0) = 0$. Indeed, $S_1$ is defined by the
polynomial $P_f(x, y, z)$, which takes the value

$$P_f(x_0, y_0, z) = \frac{f(x_0) + f(y_0) + f(z) + f(x_0 + y_0 + z)}{(x_0 + y_0)(x_0 + z)(y_0 + z)}$$

at the point $(x_0, y_0, z, t_0)$. If we set $x_0 + y_0 = s_0$, the homogeneous term
of degree $d_i$ in $P_f(x, y, z)$ becomes

$$\frac{d_i(x_0^{d_i - 1} + z^{d_i - 1}) + s_0 Q_i(x_0, z)}{(z + s_0 + x_0)(z + x_0)}$$

where $Q_i$ is a polynomial in $x_0$ and $z$ of degree $d_i - 2$. If $d_i$ is odd, the
numerator of this term is of degree $d_i - 2$, and hence does not vanish, so
it is the same for the polynomial $P_f(x_0, y_0, z)$. Hence, $X$ has dimension
2. Moreover, $X$ is the intersection of two hypersurfaces of degree $d - 3$,
thus it has degree $(d - 3)^2$. □

The surface $X$ is reducible. Let $X = \bigcup_i X_i$ be its decomposition in
absolutely irreducible components.

We embed the affine surface $X$ into a projective space $\mathbb{P}^4(\mathbb{F}_q)$ with
homogeneous coordinates $(x : y : z : t : u)$. Consider the hyperplane
at infinity $H_\infty$ defined by the equation $u = 0$ and let $X_\infty$ be the
intersection of the projective closure $\overline{X}$ of $X$ with $H_\infty$. Then $X_\infty$ is the
intersection of two surfaces in this hyperplane, which are respectively
the intersections $S_{1,\infty}$ and $S_{2,\infty}$ of the cylinders $S_1$ and $S_2$ with that
hyperplane. The homogeneous equations of $S_{1,\infty}$ and $S_{2,\infty}$ are

$$P_{x^d}(x, y, z) = \frac{x^d + y^d + z^d + (x + y + z)^d}{(x + y)(x + z)(y + z)}$$

and

$$P_{x^d}(x, y, t) = \frac{x^d + y^d + t^d + (x + y + t)^d}{(x + y)(x + t)(y + t)}.$$

By Proposition 8 the intersection of the curve $X_\infty$ with the plane
$x + z + t = 0$ (inside the hyperplane at infinity) is an absolutely irreducible
component $C'$ of the curve $X_\infty$ of multiplicity 1, defined over $\mathbb{F}_2$. So the
only absolutely irreducible component of $X$, say $X_1$, which contains $C'$
is defined over $\mathbb{F}_q$.

Proposition 11. Let $X$ be an absolutely irreducible projective surface
of degree $> 1$. Then the maximum number of rational points on $X$
which are contained in the hypersurface $V \cup H_\infty$ is

$$\#(X \cap (V \cup H_\infty)) \le 8(\deg(X)q + 1).$$

Proof. As deg(X) > 1, the surface X is not contained in any hyper- 
plane. Thus, a hyperplane section of X is a curve of degree deg(X). 
Using the bound on the maximum number of rational points on a gen- 
eral hypersurface of given degree proved by Serre in [19], we get the 
result. □ 

Theorem 12. Consider a function $f : \mathbb{F}_q \to \mathbb{F}_q$ of degree $d = 2^r - 1$
with $r \ge 3$. If $31 < d < q^{1/8} + 2$, then $\delta(f) > 4$. For $d < 31$, we get
$\delta(f) > 4$ for $d = 7$ and $m > 22$ and also if $d = 15$ and $m > 30$.

Proof. From an improvement of a result of S. Lang and A. Weil [TS]
proved by S. Ghorpade and G. Lachaud [11, section 11], we deduce

$$\begin{aligned}
|\#X_1(\mathbb{F}_q) - q^2 - q - 1| &\le ((d - 3)^2 - 1)((d - 3)^2 - 2)q^{3/2} + 36(2d - 3)^5 q \\
&< (d - 3)^4 q^{3/2} + 36(2d - 3)^5 q.
\end{aligned}$$

Hence

$$\#X_1(\mathbb{F}_q) > q^2 + q + 1 - (d - 3)^4 q^{3/2} - 36(2d - 3)^5 q.$$

Therefore, if

$$q^2 + q + 1 - (d - 3)^4 q^{3/2} - 36(2d - 3)^5 q > 8((d - 3)q + 1),$$

then $\#X(\mathbb{F}_q) \ge \#X_1(\mathbb{F}_q) > 8((d - 3)q + 1)$, and hence $X_1(\mathbb{F}_q) \not\subset V \cup H_\infty$
by Proposition 11. As $X$ is the set of affine points of the projective
surface $\overline{X}$, we deduce that $X(\mathbb{F}_q) \not\subset V$ and so the differential uniformity
of $f$ is at least 6 from Theorem 3. This condition can be written

$$q - (d - 3)^4 q^{1/2} - 36(2d - 3)^5 - 8(d - 3) > 0.$$

This condition is satisfied when

$$q^{1/2} > d^4 - 12d^3 + 54d^2 + 1044d + 5265 + 25920/d$$

if $d > 2$, or $d < q^{1/8} + 2$ if $d > 31$. □